What Doesn't Kill You.....
Well, it turns out there was a fairly simple SQL injection hack that enabled anyone from the public to manipulate the Battle Blog database. The folks who discovered this posted detailed information about the exploit. I wish they hadn't zapped all of Battle Blog's previous entries and comments to prove their point, but I'm happier to have the information. So, uh, thanks?
The short-term fix is to simply test whether the value passed in the Entry querystring is in fact numeric only. Anything else, like an UPDATE command aimed at your Battle Blog table, should then throw an error or do whatever else you decide should be done. In the current Battle Blog code, you can add the following line for a quick fix at line 82 in comment.asp and article.asp:
82> if IsNumeric(CurrentEntry)=False then CurrentEntry=""
Then there is the more efficient fix (e-mailed to me by a Battle Blog user who has forked his own copy):
In comment.asp and article.asp, find the line that reads:
CurrentEntry = request.querystring("Entry")
and change it to:
CurrentEntry = cint(request.querystring("Entry"))
Either quick fix simply throws an error whenever the hack is attempted.
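For comparison, here is a stricter version of the same idea, written as an added example rather than Battle Blog's own code: it accepts only plain decimal digits (IsNumeric also accepts things like "1e3", "&H10" and leading spaces, and CInt overflows above 32767), rejects the request cleanly instead of erroring, and binds the value as a query parameter so it is never concatenated into the SQL text. The connection object objConn, the table and column names, and the meaning of 0 as "no valid entry" are assumptions for the example.

```vbscript
' Added example, not part of Battle Blog: strict validation of the Entry
' querystring plus a parameterized lookup instead of string-built SQL.
Function SafeEntryId(rawValue)
    ' Accept only 1 to 9 plain decimal digits. Rejects "", "1e3", "&H10",
    ' " 12 " and "1,000", all of which IsNumeric() would report as numeric.
    Dim re
    Set re = New RegExp
    re.Pattern = "^[0-9]{1,9}$"
    If re.Test(rawValue) Then
        SafeEntryId = CLng(rawValue)   ' CLng, not CInt: CInt overflows above 32767
    Else
        SafeEntryId = 0                ' assumption: 0 is never a real entry id
    End If
End Function

Dim CurrentEntry
CurrentEntry = SafeEntryId(Request.QueryString("Entry"))
If CurrentEntry = 0 Then
    ' Reject the request outright rather than letting a type-mismatch error surface.
    Response.Status = "400 Bad Request"
    Response.Write "Invalid entry."
    Response.End
End If

' Parameterized query: the id is bound as an integer parameter, so even a value
' that slipped past validation could not alter the SQL statement itself.
Dim cmd, rs
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = objConn      ' assumes an already-open ADODB.Connection
cmd.CommandText = "SELECT * FROM tblEntries WHERE EntryID = ?"  ' placeholder names
cmd.CommandType = 1                      ' adCmdText
' CreateParameter(Name, Type, Direction, Size, Value): 3 = adInteger, 1 = adParamInput
cmd.Parameters.Append cmd.CreateParameter("EntryID", 3, 1, , CurrentEntry)
Set rs = cmd.Execute
```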
I'll be reviewing the code base for more potential SQL vulnerabilities, but these seem to be the only ones the public can exploit. While I'm doing this I am suspending the availability of Battle Blog until I've posted the fixed version that does something more elegant.
If the hackers in question have any other information about how to prevent this, I'm all ears. Just keep it in a comment, not in practice. I know that's probably not as fun, but consider yourselves already scored here, eh?